Me and a coworker found that uBO blocks it. Also from my tests without uBO enabled it didn't scan every time (seemed to only scan when logged out, but that could have been a coincidence)
This image doesn't show any local ports trying to be accessed. I'm guessing this endpoint is what gets called after the scan is completed, but context is missing to be certain.
GDPR allows "necessary" data processing for "legitimate interests". IANAL but I believe a non-damaging portscan to check for security issues to be allowed. Especially as eBay has the legitimate interest to ward off fraud - and customers have the legitimate interest to have their accounts protected.
127.0.0.1 (aka localhost) isn't affected by your NAT setup. Your browser initiates this scan on the local loopback device, so the traffic will never even leave your computer (even on linux, it's somewhat difficult to get it to route 127.0.0.1 to another computer and it'll break a lot of applications in the process or make them insecure).
IPv6 with a public routed address still means there is a firewall, just like with NATv4. NATv4 just also has a NAT router with that firewall.
Tell that to every corporation on Earth, especially to Banks, that "port scanning your perimeter is an innocent thing". Tell that your employer as well and do tell us what's your job status afterwards.
(I am not downvoting the utterly silly grey comments - I want them to be visible to a) ;)
Consent is a voluntary agreement to something. Port scanning is definitely not something I would expect when browsing the web (And based on the amount of upvotes on the last thread, not something most of HN would expect), so how can I be consenting to it without knowing about it?
> Port scanning is definitely not something I would expect when browsing the web (And based on the amount of upvotes on the last thread, not something most of HN would expect)
Then you're a fool, frankly. Plenty of online services, web or otherwise, use port scans as a means to detect such things as open proxies or open MTAs.
What percentage of ebay visitors even know what portscanning is? How can somebody consent to something they aren't aware of, don't anticipate, and certainly don't even understand? Your notion of "consent" is an utter joke.
Maybe they might agree to such anti-fraud measures, but I don't think they have. I don't consider 'ignoring the terms of use buried at the bottom of the page or in small print' a legitimate form of indicated consent.
Agree with you that simply putting something in the terms of use doesn't necessarily indicate agreement. If they're only doing it to signed in users, then presumably they had the terms put in front of them at some point, but I think your objection is still fair in any case.
To what extent do they need consent to port scan, though? They're not intending to do anything malicious, and in fact (assuming you are the owner of the account that's signed in) they're doing it partly to benefit you. Is there a law against port scanning? Does it affect users in any way?
Open ports which are accessible to the Internet at large are not "machine internals". If you do not want someone to access your systems, then you should configure your systems to not allow that access.
They are open ports which are accessible to the Internet at large. Or at least, any site you go to. If you don't like that there are various means to close off those ports to your browsers (Windows firewall, network namespaces, etc).
This is suppose to help with fraud? Lets be serious for a moment. The only thing that this is going to change is that the supposedly hacked computers will no longer run VNC on standard ports.
I think what we might be seeing here is the outcome of some overpaid consultant's claim that they can protect ebay from fraud with 'sophisticated' malware detection.
Has anyone investigated how this protection works? That is, deliberately create an eBay account, log into eBay using a remote tool, and trigger the fraud detection? My curiosity is piqued, but I don't have an account to offer up.
I'm wondering if eBay displays a fraud warning, or pretends to allow the transaction to occur (shadow bidding?), or just hellbans the account being used.
For shill-bidding farms, the obvious counter is to move remote screen access to non-standard ports, or move to headless browser operation via other scripting methods.
It will just feed the data-point into an anti-fraud/anti-spam system along with everything else.
And the anti-fraud/anti-spam system is probably a machine learning black box. It will learn if this data-point is actually correlated with naughty behaviour, and what other factors are usually correlated.
It helps but there are projects like censys.io and shadowserver ebay can use instead of a direct scan.
Bad guys do use compromised seevers and devices,often it's bind() shell (like a webshell) that can easily be detected. I think it helps when they use compromised hosts as proxies to avoid IP restrictions.
You greatly overestimate the people who run these remote access scams. They struggle to edit html in devtools and a simple overlay element takes them >15 minutes and calling a supervisor to delete.
Let's be serious for a moment. A computer that is hacked and running remote access programs poses a MUCH higher risk of account hi-jacking for ebay and paypal purposes than another computer.
Feed that into a system that monitors lots of other inputs, and you start to build improved fraud detection systems. Most of these systems benefit significantly from long tail / long history monitoring - all the other providers of systems in this space try to get beacons onto virtually all the pages you visit, monitor all mouse and other movements you carry out etc.
Why not this pretty simple and straightforward explanation vs something complicated about overpaid consultants? Amazon does $80B of sales or something per year. Each 1% of fraud on this platform is worth $800 million. How overpaid must a consultant be who can knock this down?
I'm curious how someone with crypt in their name would ignore obvious remote access trojan installs as a threat vector?
I'm not ignoring anything. I'm simply stating that this is not an effective prevention method. I'm even going to argue that this can potentially _hurt_ whatever fraud system they have in place, as it could create a lot of false-negatives. Once the fraudsters pick up on this they'll change the ports. From then on, this script is useless.
At best, the result of the data points created by this script is going to create a temporary drop in fraud, which can be used by the aforementioned 'consultant' to claim (premature) victory. Give it a month or two, and the fraud numbers are going to go back to their previous levels.
Do you deal with fraud issues. My guess is not. "The fraudsters may adapt" is a complaint with almost all fraud fighting approaches - and yet many even older methods STILL have value even if fraudsters could work around them. Many fraudsters are using scripts and tools they don't even know how to modify but that circulate and are used. In person use has geo checks, so easy to avoid by using cards in a local area - but fraud prevention STILL picks up out of billing zip attempts at use.
So you'll be wrong here. And even a 6 month decline in fraud is highly valuable to any of these large scale players.
This site is a standard reblogger. They just regurgitate stuff that they find on other sites or even reddit and Facebook. They don’t add anything new to the story. If anything they take away some context from when it was originally reported. I some how despise it a lot, the y provide no value but consistently take away advertisement dollars and clicks from the original author.
Copying the JavaScript to “beautifier(.)io” will show that this script does more than just poet scan. It also uses some low-level fingerprinting techniques using flash and various fonts to determine browser type. It also produces a public and private key.
54 comments
[ 4.8 ms ] story [ 121 ms ] threadI thought about submitting the other article with my own title, but I didn't want to "editorialize".
But why should a user have to subject their machine internals to inspection by eBay? And, without their consent.
IPv6 with a public routed address still means there is a firewall, just like with NATv4. NATv4 just also has a NAT router with that firewall.
Tell that to every corporation on Earth, especially to Banks, that "port scanning your perimeter is an innocent thing". Tell that your employer as well and do tell us what's your job status afterwards.
(I am not downvoting the utterly silly grey comments - I want them to be visible to a) ;)
Then you're a fool, frankly. Plenty of online services, web or otherwise, use port scans as a means to detect such things as open proxies or open MTAs.
To what extent do they need consent to port scan, though? They're not intending to do anything malicious, and in fact (assuming you are the owner of the account that's signed in) they're doing it partly to benefit you. Is there a law against port scanning? Does it affect users in any way?
I think what we might be seeing here is the outcome of some overpaid consultant's claim that they can protect ebay from fraud with 'sophisticated' malware detection.
I'm wondering if eBay displays a fraud warning, or pretends to allow the transaction to occur (shadow bidding?), or just hellbans the account being used.
For shill-bidding farms, the obvious counter is to move remote screen access to non-standard ports, or move to headless browser operation via other scripting methods.
It will just feed the data-point into an anti-fraud/anti-spam system along with everything else.
And the anti-fraud/anti-spam system is probably a machine learning black box. It will learn if this data-point is actually correlated with naughty behaviour, and what other factors are usually correlated.
Bad guys do use compromised seevers and devices,often it's bind() shell (like a webshell) that can easily be detected. I think it helps when they use compromised hosts as proxies to avoid IP restrictions.
Check out some of this guys videos: https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw
Feed that into a system that monitors lots of other inputs, and you start to build improved fraud detection systems. Most of these systems benefit significantly from long tail / long history monitoring - all the other providers of systems in this space try to get beacons onto virtually all the pages you visit, monitor all mouse and other movements you carry out etc.
Why not this pretty simple and straightforward explanation vs something complicated about overpaid consultants? Amazon does $80B of sales or something per year. Each 1% of fraud on this platform is worth $800 million. How overpaid must a consultant be who can knock this down?
I'm curious how someone with crypt in their name would ignore obvious remote access trojan installs as a threat vector?
At best, the result of the data points created by this script is going to create a temporary drop in fraud, which can be used by the aforementioned 'consultant' to claim (premature) victory. Give it a month or two, and the fraud numbers are going to go back to their previous levels.
So you'll be wrong here. And even a 6 month decline in fraud is highly valuable to any of these large scale players.
The rest just need to notice they're no longer making money and being 1337, will get updated h4xx0r t00lz once the first group releases them.
Also, the BC article is highly sensationalized coverage with no links to actual source. smh, today's journalists
Wait. VNC is a Windows remote access tool? LOL.